nfs server within jail

andrewm659

Active Member

Reaction score: 4
Messages: 130

Is this possible? I have seen older threads stating this is not possible. But I think it might have to do with older versions...

Do I need to explicitly disable NFS and RPC on the host?
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 7,181
Messages: 29,471

I have seen older threads stating this is not possible. But I think it might have to do with older versions...
Yeah, older versions of rpcbind(8)/mountd(8) couldn't be bound to a specific IP address. But this should now be possible. Never tried it in a jail though, but all the required utilities are now able to bind to specific IP addresses, so in theory it should work.
 
andrewm659 (OP)

Active Member

Reaction score: 4
Messages: 130

I think the key phrase here is "IN THEORY" :)

I'll continue to research.

Thank you!
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 7,181
Messages: 29,471

I think the key phrase here is "IN THEORY" :)
Yeah, I've never done it myself so I can only speculate. Just make sure any NFS-related services on the host are specifically bound to the host's IP address. Typically these services run on '*' (all addresses) and thus may catch requests that are actually targeted at the jail's IP addresses. This will cause all sorts of weird and wonderful conflicts.
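An added example, not from SirDice's post: a small sh script that audits the host side of this advice. It lists NFS-related sockets still bound to '*' in sockstat -4l output and prints the rc.conf lines that bind those daemons to one address with their -h flag. The sample sockstat lines and the address 192.0.2.10 are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the host for NFS-related
# daemons still listening on the wildcard address, which is exactly the
# conflict described above. Reads `sockstat -4l`-style output on stdin.
# The sample output and the address 192.0.2.10 are constructed.

# Print "COMMAND PROTO LOCAL_ADDRESS" for every NFS-related socket bound to '*'.
# sockstat columns: USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
find_wildcard_nfs_listeners() {
    awk '$2 ~ /^(rpcbind|mountd|nfsd|rpc\.lockd|rpc\.statd)$/ && $6 ~ /^\*:/ {
        print $2, $5, $6
    }'
}

# Constructed sample: mountd is already bound to the host address,
# the other NFS daemons are not; sshd is unrelated and must be ignored.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    812   8  udp4   *:111                 *:*
root     rpcbind    812   9  tcp4   *:111                 *:*
root     mountd     820   5  tcp4   192.0.2.10:1021       *:*
root     nfsd       825   5  tcp4   *:2049                *:*
root     rpc.statd  830   6  udp4   *:800                 *:*
root     sshd       600   4  tcp4   *:22                  *:*'

# Number of wildcard-bound NFS sockets in the sample; 0 is the goal.
count_wildcard_nfs_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | find_wildcard_nfs_listeners | wc -l | tr -d ' '
}

# rc.conf lines that bind the host's daemons to one address via the -h
# flag of rpcbind(8), mountd(8), nfsd(8), rpc.lockd(8) and rpc.statd(8).
rc_conf_bound_to() {   # $1 = host IP
    cat <<EOF
rpcbind_flags="-h $1"
mountd_flags="-h $1"
nfs_server_flags="-u -t -h $1"
rpc_lockd_flags="-h $1"
rpc_statd_flags="-h $1"
EOF
}

# On a real host: sockstat -4l | find_wildcard_nfs_listeners
# then apply rc_conf_bound_to <host-ip> to /etc/rc.conf and restart the daemons.
count_wildcard_nfs_listeners
```

This only covers the userland sockets; jgreco's caveat later in the thread about the kernel locking path not honouring the bind address still applies.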
 

ANOKNUSA

Aspiring Daemon

Reaction score: 372
Messages: 675

I honestly can't see any benefit to running NFS inside a jail. Accessing NFS over the Internet is a bad idea no matter how you do it. If you're using NFSv2 NFSv3 there's no authentication or encryption, hence no real security no matter where the source is. If you're using NFSv3 NFSv4 you have Kerberos authentication, which makes the jail superfluous. The jail just adds extra hassle.

EDIT: Fixed NFS version numbers.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 7,181
Messages: 29,471

If you're using NFSv2 there's no authentication or encryption, hence no real security no matter where the source is. If you're using NFSv3 you have Kerberos authentication, which makes the jail superfluous.
NFSv3 has no authentication, NFSv4 can use Kerberos. NFSv2 is pretty much dead and deprecated.
 

ANOKNUSA

Aspiring Daemon

Reaction score: 372
Messages: 675

NFSv3 has no authentication, NFSv4 can use Kerberos. NFSv2 is pretty much dead and deprecated.
My mistake. I fixed my post.

I was hoping to export my rancid directory from the jail.
You can use nullfs(5) to mount a directory on the host inside the jail. Just create an fstab file for the mountpoint with the name /etc/fstab.[jail_name], similar to this:

Code:
/path/to/RANCID/data/directory /path/to/RANCID/mountpoint/in/jail  nullfs   rw             0       0
Then add a line to /etc/jail.conf to mount the directory when the jail is started:
Code:
...
mount.fstab = /etc/fstab.[jail_name];
...
You could then export the directory over NFS from the host system while also having it mounted in the jail.
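An added example, not ANOKNUSA's own files: an sh script that generates the /etc/fstab.[jail_name] line, the jail.conf stanza and a read-only, network-restricted host-side /etc/exports entry for this layout, validating the paths first. The jail name rancid, all paths and the client network 192.0.2.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not ANOKNUSA's own files: build the three host-side
# fragments for the nullfs(5) + host-export layout described above and
# sanity-check the paths before writing them. The jail name "rancid",
# every path below and the client network 192.0.2.0/24 are assumptions.

is_abs_path() { case "$1" in /*) return 0 ;; *) return 1 ;; esac; }

# /etc/fstab.<jail> entry. mount.fstab is processed on the host before the
# jail is created, so the mountpoint is the full host-side path
# (jail root + path as seen inside the jail); all three must be absolute.
nullfs_fstab_line() {   # host_dir jail_root inside_path
    is_abs_path "$1" && is_abs_path "$2" && is_abs_path "$3" || return 1
    printf '%s\t%s%s\tnullfs\trw\t0\t0\n' "$1" "$2" "$3"
}

# jail.conf(5) stanza wiring the fstab file to the jail.
jail_conf_stanza() {    # jail_name jail_root
    printf '%s {\n\tpath = %s;\n\tmount.fstab = /etc/fstab.%s;\n}\n' "$1" "$2" "$1"
}

# exports(5) entry on the host: read-only and limited to one client network,
# so the directory the jail writes into is not exported writable to everyone.
exports_line() {        # host_dir client_network (CIDR)
    is_abs_path "$1" || return 1
    case "$2" in */*) ;; *) return 1 ;; esac   # require a prefix length
    printf '%s -ro -network %s\n' "$1" "$2"
}

# Write all three for the assumed layout; afterwards run
# "service mountd reload" and confirm the export with "showmount -e".
write_layout() {
    nullfs_fstab_line /usr/local/var/rancid /usr/jails/rancid /var/rancid > /etc/fstab.rancid &&
    jail_conf_stanza rancid /usr/jails/rancid >> /etc/jail.conf &&
    exports_line /usr/local/var/rancid 192.0.2.0/24 >> /etc/exports
}
```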
 

jgreco

New Member


Messages: 3

Yeah, I've never done it myself so I can only speculate. Just make sure any NFS-related services on the host are specifically bound to the host's IP address. Typically these services run on '*' (all addresses) and thus may catch requests that are actually targeted at the jail's IP addresses. This will cause all sorts of weird and wonderful conflicts.
This usually works with userland processes, but in the case of NFS and jails, there are some unresolved issues because it is a kernel service and there are some problems, particularly with NFS locking, where the kernel doesn't obey binding to a specific interface, instead sourcing it as it desires, and there are some lesser issues as well.

I honestly can't see any benefit to running NFS inside a jail. Accessing NFS over the Internet is a bad idea no matter how you do it. If you're using NFSv2 NFSv3 there's no authentication or encryption, hence no real security no matter where the source is. If you're using NFSv3 NFSv4 you have Kerberos authentication, which makes the jail superfluous. The jail just adds extra hassle.
I honestly don't understand why you've equated running NFS inside a jail to accessing NFS over the Internet. For those of us engineering resilient networks and services, jails are a convenient abstraction. Bind a jail to a loopback interface and inject it into the routing environment. If you're doing things like this, you really don't want the kernel deciding to use any of the server's Ethernet interfaces as a traffic source. If I can use a jail, I can let the routing protocol handle things like link failure, traffic balancing, and other network management issues (especially between sites) with an IGP such as OSPF. As it stands, FreeBSD can't do this correctly, which is unfortunate, but I understand that most people don't pursue the sorts of redundant network designs that I've been doing for several decades, and therefore there isn't really a lot of awareness of the deficiency here.
 

bds

Member

Reaction score: 9
Messages: 45

# cat /usr/ports/net/unfs3/pkg-descr
UNFS3 is a user-space implementation of the NFSv3 server specification. It
provides a daemon for the MOUNT and NFS protocols, which are used by NFS
clients for accessing files on the server.
Since it runs in user-space, you can use it in a jail.

WWW: http://unfs3.sourceforge.net/

I've not used it for a while, but when I did it worked well enough in a jail.
 

jgreco

New Member


Messages: 3

Yeah, that's probably an option. I think there are some things to look at in terms of people who were working on porting Ganesha and Gluster as well. The downside is that it is user-space stuff, but of course we do lots of silly CPU-burning stuff these days and it all sort of works even so. ;-)
 